The CyberWire Daily Podcast 9.15.23
Ep 1907 | 9.15.23

Peach Sandstorm cyberespionage. Criminal attacks against a Colombian telco and two major US casino firms. A thief in the browser. And the Greater Manchester Police are on a virtual manhunt.


Dave Bittner: "Peach Sandstorm" is an Iranian cyberespionage campaign. A cyberattack against a telecom provider affects government and corporate online operations in Colombia. Python NodeStealer takes browser credentials. Caesars Entertainment files its 8-K. Some MGM Entertainment systems remain down. Betsy Carmelite from Booz Allen talking about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. And a third-party incident exposes personal data of the Manchester police.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, September 15th, 2023.

Iranian cyberespionage campaign: "Peach Sandstorm."

Dave Bittner: Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm (which Microsoft formerly tracked as “HOLMIUM”) has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors. The goal of the campaign appears to be espionage. In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says, “The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”

Dave Bittner: In full disclosure, we note that Microsoft is a CyberWire partner.

Cyberattack against telecom provider affects Colombian government, corporate online operations.

Dave Bittner: An incident broadly characterized as a cyberattack that began Tuesday hit Colombian telco IFX Networks and has affected the company's customers. According to statements by Colombia's ICT Ministry these include some seven-hundred-sixty companies in Latin America as well as at least twenty Colombian government agencies. The agencies include the health ministry, the health regulator, and the superior council of the judiciary. Colombia's cybersecurity unit, PMU Ciber, has established a command post to cope with the emergency. The judiciary seems to have been particularly hard-hit, and many courts will suspend operations until September 20th. Colombia Reports says that early indications are that IFX Networks was the target of a ransomware attack, obviously criminal and presumably financially motivated. 

Python NodeStealer takes browser credentials.

Dave Bittner: Netskope describes a campaign that’s using Python scripts to steal Facebook business account credentials, along with all available cookies and credentials stored by the browser. The malware is a new version of NodeStealer, distributed via Facebook Messenger: “The new NodeStealer variant we detected was hosted on the Facebook CDN and was sent to victims as an attachment in Facebook messages. Images of defective products were used as bait to convince owners or admins of Facebook business pages to download the malware payload. Unlike previous NodeStealer campaigns, this one uses a batch file instead of an executable as the initial payload.”

Dave Bittner: It can be easy to forget that stuff stored in the browser, even cookies, can be valuable. (But NodeStealer remembers.)

Caesars Entertainment files its 8-K.

Dave Bittner: We turn now to the recent attacks on Las Vegas casinos.

Dave Bittner: As expected, Caesars Entertainment filed its 8-K with the SEC yesterday, at roughly noon Eastern Time. The company said that its "customer-facing operations, including our physical properties and our online and mobile gaming applications," were unaffected. But "customer-facing operations" don't extend to all customer data. In particular, Caesars' loyalty program database was compromised. The information acquired by "an unauthorized actor" includes "driver’s license numbers and/or social security numbers for a significant number of members in the database." The company is continuing to investigate, but so far has found no signs that member credentials, bank account information, or paycard data were exposed. Despite that preliminary finding, Caesars is extending credit monitoring and identity theft protection to affected customers, whom it will be notifying over coming weeks.

Dave Bittner: Caesars said, "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." This has been widely interpreted as an acknowledgement that the company negotiated a ransom payment with the criminals who took its data. The Wall Street Journal put the amount of ransom paid at $15 million, half the $30 million the attackers demanded. 

Dave Bittner: In addition to hardening its own systems, the company said it had "taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems." Caesars said it had incurred some expenses due to the attack, and might incur others as investigation and remediation proceed. It also acknowledged the difficulty of predicting the incident's effect on guest behavior. Nonetheless, "we currently do not expect that [the incident] will have a material effect on the Company’s financial condition and results of operations." 

Dave Bittner: So Caesars has made its assessment of materiality and decided that, for now at least, the incident is unlikely to have a material impact.

Some MGM Entertainment systems remain down.

Dave Bittner: The other casino operator under attack this month is MGM Entertainment. Cyber criminals appear to have stolen six terabytes of data from MGM Resorts and Caesars Entertainment, Reuters reports.

Dave Bittner: Scattered Spider, an anglophone affiliate of ALPHV, has been talking up its attack against MGM Resorts in particular. Members of the group have been boasting in their Telegram channels that their original plan was to rig slot machines and use money mules to drain them, but, when that didn't work out, they fell back on traditional social engineering to gain access to the company's systems in a ransomware operation. The Financial Times writes that the Spiders "evaded detection from the company’s security team by using common remote login software, and access to MGM’s corporate VPN to impersonate an employee’s digital footprint. They ran their malware remotely and claim to have penetrated the system within five hours of starting the attack, and evaded detection for eight days." 

Dave Bittner: A principal key to the gang's social engineering success is its members’ native proficiency in English and good idiomatic control, which rendered their approach more plausible than the usual "Hello Dear One" phishing emails so many non-native-speaking gangs use.

Dave Bittner: The AP reports that some MGM Entertainment systems remain unavailable in the aftermath of the attack. According to BleepingComputer, there was more to the attack than data theft. The attackers claim they also encrypted more than 100 ESXi hypervisors. A statement by ALPHV (also known as BlackCat) said, “After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.”

Dave Bittner: BleepingComputer also cites researchers at Mandiant who see a possible overlap between Scattered Spider and the Lapsus$ Group. In addition to overlapping tactics, there's an unusual demographic similarity that circumstantially suggests a connection: both groups are largely composed of English-speaking teenagers and young adults. They are breaking their parents’ hearts.

Third-party incident affects Manchester police.

Dave Bittner: And, finally, someone is really after the police in the UK. A ransomware attack against a third-party vendor has led to the theft of personal data belonging to Manchester police officers, BleepingComputer reports. Greater Manchester Police (GMP) Assistant Chief Constable Colin McFarlane said in a statement, “We are aware of a ransomware attack affecting a third-party supplier of various UK organisations, including GMP, which holds some information on those employed by GMP. At this stage, it’s not believed this data includes financial information.” 

Dave Bittner: The Record notes that the UK’s National Crime Agency is, unsurprisingly, assisting in the investigation. To the NCA and the Greater Manchester Police, we wish you good hunting and some quick collars.



Dave Bittner: Coming up after the break, Betsy Carmelite from Booz Allen speaks about how to leverage cyberpsychology. Ron Reiter of Sentra outlines the threats for connected cars. Stay with us. [ Music ] We've grown accustomed to the reality that our connected mobile devices are continuously gathering and sharing all sorts of information about us. And many of us put in a serious effort to minimize that data gathering. But there's another truly mobile device that often gets overlooked, our cars. Ron Reiter is co-founder and CTO at data security firm Sentra.

Ron Reiter: There is basically two different challenges that connected cars have to deal with in terms of cybersecurity. So, we have touched both of them. So, the first one is the privacy aspect, right? So, there is, you know, terabytes of information collected every day from these connected cars. Information like where are you right now, who is in the car, how awake are you, where are you looking, what are you saying, you know. It's basically the most intimate parts of your life are being recorded and uploaded to the cloud for, you know, many different purposes whether it's for training models for connected cars so they can eventually provide the capability of autonomous driving, whether it's for security aspects, whether it's for functionality-wise, right, you want to have some sort of a safety mechanism on the road, and you have to maybe know, you know, how fast you're driving or who's driving fast near you. So, there is many different reasons that data needs to be collected but I think the core issue that needs to be addressed is the privacy aspect because if people would have access to this type of information on other people, it's definitely the most intimate type of information that one can collect on a person. So, I think that's the first challenge that we have to address and face and understand, you know, to understand how the data is being protected, how privacy is being preserved, when is the data deleted, what happens if, you know, a user, you know, is concerned about where his data is going like which third-party vendors are using it. So, that's one big aspect. And again, as you said, you've touched the second aspect which is the security aspect, right? So, obviously, the most frightening I would say scenario would be to have some hacker control your car and drive you into, you know, a cliff, right, without you noticing. That's really like the nightmare. 
And, you know, unfortunately, I would have to say that, you know, I'm pretty sure it would eventually happen. There is virtually no way to actually avoid such a terrible scenario because the shift to connect cars to the internet is so strong, and the developers and the security of the software of these machines are so complicated that it's virtually impossible to avoid in 100% of the cases a cybersecurity breach that would severely impact or be fatal to a person. So, I think, you know, both are very important to protect and they require different technologies and practices but that's definitely the two major challenges.

Dave Bittner: And where do we stand right now when it comes to a regulatory regime? I mean, do the manufacturers have a responsibility to allow buyers to opt out of these things?

Ron Reiter: So, first of all, there is GDPR, CCPA, and all the data privacy, data regulation frameworks that already exist today. And they are -- you know, they're also effectively basically guaranteeing that the user will also be protected under the connected car scenario. The user cannot have its data collected without proper consent, without the ability to delete the data, without the understanding of who else is getting the data from him, for a vendor -- a third-party vendor also gets the data from the data collector. The customer must also know which vendors are accepting the data. So, in that sense, I think the data privacy frameworks are pretty much adequate in terms of controlling that aspect. So, I would say I think today in today's world, we are covered. I would say I'm not into the details in terms of, you know, how Tesla operates, for example, but it is possible that in order to have a Tesla, it would be virtually impossible to drive a Tesla without consenting to data collection. So, and it makes sense. Again, I'm not sure, I'm not -- I haven't read all the details of the terms of service of a Tesla car but, you know, it very much is possible that the only way to avoid in the future the connected car experience is to not have a connected car. I think that's probably where we're going because a lot of the features that cars will eventually have actually would require being connected to the cloud. It would just make the developers of cars much -- it makes them -- it makes the work for them easier, right, if they require, you know, some sort of internet connectivity so they can, you know, offload some of the work to the cloud. So, I think that's kind of inevitable. But today it's not the case, today a car is very much, you know, self-sustaining. 
But as time goes on, I think that connectivity kind of becomes abundant and trivial, I think it will be more and more a requirement to, you know, be connected to the cloud and to collect data if you'd actually want to use the features of the connected car.

Dave Bittner: We can see a resurgence in interest in '67 Chevies, right?

Ron Reiter: Yeah. Definitely.

Dave Bittner: What are your recommendations then, I mean, for folks who are interested in these features but also mindful of their privacy and safety, how should they be coming at this? Is this the matter of your going through all the menus in the car, reading the user manual, that sort of stuff?

Ron Reiter: Yeah, I would say at the end of the day, there's probably no way to escape having both the data being collected and utilizing, fully utilizing all the different features of the car. I would say some maybe aspects would, you know, allow a driver to disallow the use of, you know, his data being passed for advertising purposes, right? But so he might go through all the menu and then find some options that would restrict the data collection or what the company can do with it. But at the end of the day, once you buy a car from a very specific vendor, I would say the vendor would almost always by default require the data collection to their own cloud. Because I think it's, you know, data is king, right, like the more data that the vendors -- that the manufacturers collect, the more the value of the company becomes, right, it goes up and up because it now has data that it collected from the cars so it can, you know, research and they can develop new technologies using this data and test it. So, I think it's something that the manufacturer, car manufacturers would never give up on, that they would never make it an optional feature.

Dave Bittner: That's Ron Reiter from Sentra. [ Music ] There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects" where you'll get access to this and many more extended interviews. [ Music ] And joining me once again is Betsy Carmelite. She is the Principal at Booz Allen Hamilton for cyber defense operations. Betsy, it's my pleasure to welcome you back. You know, in a previous segment, you mentioned something called cyberpsychology and I thought that deserved a little deeper dive here today. What exactly are we talking about here?

Betsy Carmelite: So, we're seeing research. And I'm going to quote or pull from Verizon's 2023 Data Breach Investigations Report that shows that 82% of all breaches are caused by mistakes people make in the course of everyday work. So, in other words, our behavior is the target and it's often targeting that fight or flight response that we all kind of face when we're making decisions. So, traditionally, cybersecurity has been focused on protecting systems and information, but as this data makes it clear, it's not simply the networks that need protection but the people using them. So, also again, by the numbers, just 10% of attacks are the result of vulnerabilities while we're seeing the majority stem from credential harvesting, credential stealing, and from phishing.

Dave Bittner: So, is this a matter of kind of helping protect people against themselves, you know, their own human nature?

Betsy Carmelite: There are a few ways that we can help, you know, people shift their mindset and rather than relying on the security of the devices, let's -- you know, let's protect our own thinking and how we, you know, understand the adversary. And there are a few ways that we recommend that we can begin to prioritize that mindset shift to the human being the target here less the technology and the devices.

Dave Bittner: Well, let's dig into that. What do you recommend?

Betsy Carmelite: So, first understand the adversary. It's funny, I sent my daughter up the street today to play with a friend and I always say, you know, "Don't talk to strangers." You know, one of my favorite phrases is, you know, be aware of your surroundings and have that awareness, awareness, awareness. So, translating that into, you know, predictable ways that online attacks occur and how threat actors are trying to, you know, understand us, we can leverage cyberpsychology and determine what are the predictable ways that we are being scammed online. What is our awareness in our workforce? Are they trying to disable rational and clear thinking? So, what is the adversary trying to do to us? Verizon's research shows that human errors, again, remain at the top for vectors of malicious activity. They take advantage of how we work, our expectations at work. And paired with neuroscience research, that suggests the human brain will always take the easiest path. We can begin to see wires continue to lead us the reason for breaches. Understanding how to counter motives such as money, ideology, coercion, and ego can make an attack more difficult or not worth the investment. And cyberpsychology potentially shows that focusing security efforts on the ease of entry point may have a better return on investment for businesses. So, that's one way we're looking at that, how to understand the adversary.

Dave Bittner: How do you suggest an organization come at this? I mean, is it appropriate for the cybersecurity people to be handling the cyberpsychology? It strikes me that that may be a misalignment.

Betsy Carmelite: Yeah, so I'll -- that's a really good starting point for kind of the next two thoughts on how to proceed and counter this. So, number one, companies should avoid the blame game. Invest in understanding the cyberpsychology of our workforces. So, if you take this statistic, the average employee uses 16 different applications in a day to get work done. That's creating fatigue, that's creating multiple transitions in a day between or among platforms, the decisions that you have to make -- and we've talked about this on previous podcasts like cybersecurity analysts are faced with so many tasks, so much analysis, how much decision-making are they doing in the day to properly do their jobs. And these mental stressors are often the critical catalysts for, you know, missed red flags, careless errors. So, organizations can put the same amount of energy into figuring out why alerts are amiss -- why alerts are missed, what's going on in my workforce, how can I understand the psychology of my workforce. What decision-making processes occurred that led up to this point? And then after locating the root cause, prescribe corrective actions as opposed to pointing the fingers or punitive -- you know, punitive measures. And then, organizations can really model good behavior. A significant number of attacks we see today are the result of stolen credentials which means it's essential to crack down on the human side of cybersecurity. And organizations have been much too tactical we believe in the past in how they think about defending against threats. So, bringing in someone like a cyberpsychologist can help teams with stepping back, think more broadly about understanding the adversary, seeing the forest through the trees. Secondly, organizations can narrow their scope, and security teams can limit the attack path. 
So, one of the things that I know I've done with my team like we talk about periodically what sort of phishing campaigns are we specifically seeing and how are they specifically targeting organizations. How is our information in LinkedIn, how can that be better locked down so as to not fully expose who we are, what we're doing, what we're working on? And that's all part of monitoring the open internet too. Look at the phishing lures and what adversaries could uncover to build a threat model and profile against us as an organization or other organizations. A lot of those recommendations really come down to, while I'm not the security team, I can also model good behavior and, you know, spread that throughout the organization and not just put the reliance on all of the security team as well.

Dave Bittner: All right. Well, Betsy Carmelite is a principal at Booz Allen Hamilton for cyber defense operations. Betsy, thanks for joining us.

Betsy Carmelite: Thanks, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the Be sure to check out this weekend's "Research Saturday" and my conversation with Manuel Hepfer from ISTARI, he's sharing their research on cyber resilience. Check it out. We'd love to know what you think of this podcast, you can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show is written by our editorial staff. Our Executive Editor is Peter Kilpe. And I am Dave Bittner. Thanks for listening. We'll see you back here next week.